Bug 553361 - xenconsoled causes several AVC denials
Summary: xenconsoled causes several AVC denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-01-07 18:10 UTC by Ruben Kerkhof
Modified: 2010-01-19 19:41 UTC (History)

Fixed In Version: 3.6.32-69.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-01-19 19:41:46 UTC
Type: ---
Embargoed:


Attachments
Xen patch for F12 (1.20 KB, application/octet-stream)
2010-01-07 18:40 UTC, Daniel Walsh

Description Ruben Kerkhof 2010-01-07 18:10:16 UTC
Description of problem:

virsh console gives the following error:
No console available for domain

Version-Release number of selected component (if applicable):

[ruben@fikkie ~]$ rpm -qf /usr/sbin/xenconsoled
xen-runtime-3.4.2-1.fc12.x86_64

[ruben@fikkie ~]$ rpm -q selinux-policy
selinux-policy-3.6.32-63.fc12.noarch

How reproducible:

run xm console in selinux enforcing mode

Actual results:

From audit.log:
type=AVC msg=audit(1262891149.001:26): avc:  denied  { read } for  pid=1361 comm="xenconsoled" name="nsswitch.conf" dev=dm-0 ino=553 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.026:27): avc:  denied  { read } for  pid=1361 comm="xenconsoled" name="nsswitch.conf" dev=dm-0 ino=553 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.032:28): avc:  denied  { read } for  pid=1361 comm="xenconsoled" name="group" dev=dm-0 ino=84 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.033:29): avc:  denied  { read } for  pid=1361 comm="xenconsoled" name="group" dev=dm-0 ino=84 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.033:30): avc:  denied  { setattr } for  pid=1361 comm="xenconsoled" name="1" dev=devpts ino=4 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:xen_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1262891149.033:31): avc:  denied  { setrlimit } for  pid=1981 comm="xenconsoled" scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=process
type=AVC msg=audit(1262891149.033:32): avc:  denied  { execute } for  pid=1981 comm="xenconsoled" name="pt_chown" dev=dm-0 ino=262481 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:ptchown_exec_t:s0 tclass=file
type=AVC msg=audit(1262891149.036:33): avc:  denied  { read } for  pid=1361 comm="xenconsoled" name="group" dev=dm-0 ino=84 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.036:34): avc:  denied  { read } for  pid=1361 comm="xenconsoled" name="group" dev=dm-0 ino=84 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.036:35): avc:  denied  { setattr } for  pid=1361 comm="xenconsoled" name="1" dev=devpts ino=4 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:xen_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1262891149.036:36): avc:  denied  { setrlimit } for  pid=1982 comm="xenconsoled" scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=process
type=AVC msg=audit(1262891149.036:37): avc:  denied  { execute } for  pid=1982 comm="xenconsoled" name="pt_chown" dev=dm-0 ino=262481 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:ptchown_exec_t:s0 tclass=file
type=AVC msg=audit(1262891149.038:38): avc:  denied  { read } for  pid=1361 comm="xenconsoled" name="group" dev=dm-0 ino=84 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.038:39): avc:  denied  { read } for  pid=1361 comm="xenconsoled" name="group" dev=dm-0 ino=84 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.038:40): avc:  denied  { setattr } for  pid=1361 comm="xenconsoled" name="1" dev=devpts ino=4 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:xen_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1262891149.038:41): avc:  denied  { setrlimit } for  pid=1983 comm="xenconsoled" scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=process
type=AVC msg=audit(1262891149.038:42): avc:  denied  { execute } for  pid=1983 comm="xenconsoled" name="pt_chown" dev=dm-0 ino=262481 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:ptchown_exec_t:s0 tclass=file
type=AVC msg=audit(1262891149.039:43): avc:  denied  { read } for  pid=1361 comm="xenconsoled" name="group" dev=dm-0 ino=84 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.039:44): avc:  denied  { read } for  pid=1361 comm="xenconsoled" name="group" dev=dm-0 ino=84 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.039:45): avc:  denied  { setattr } for  pid=1361 comm="xenconsoled" name="1" dev=devpts ino=4 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:xen_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1262891149.039:46): avc:  denied  { setrlimit } for  pid=1984 comm="xenconsoled" scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=process
type=AVC msg=audit(1262891149.040:47): avc:  denied  { execute } for  pid=1984 comm="xenconsoled" name="pt_chown" dev=dm-0 ino=262481 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:ptchown_exec_t:s0 tclass=file

Expected results:

a terminal window to my domU
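
As an added illustration (not part of this bug report or of the Fedora policy patch), the Python below reduces AVC denial lines like the ones above to the SELinux allow rules they are asking for, the way audit2allow summarises them. The four sample lines are copied from the report; the parser and the rule aggregation are my own simplified reimplementation, not the audit2allow tool itself.

```python
import re
from collections import defaultdict

# Four AVC lines copied from the audit.log excerpt in this bug report.
SAMPLE_AVC = """\
type=AVC msg=audit(1262891149.001:26): avc:  denied  { read } for  pid=1361 comm="xenconsoled" name="nsswitch.conf" dev=dm-0 ino=553 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.033:30): avc:  denied  { setattr } for  pid=1361 comm="xenconsoled" name="1" dev=devpts ino=4 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:xen_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1262891149.033:31): avc:  denied  { setrlimit } for  pid=1981 comm="xenconsoled" scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=process
type=AVC msg=audit(1262891149.033:32): avc:  denied  { execute } for  pid=1981 comm="xenconsoled" name="pt_chown" dev=dm-0 ino=262481 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:ptchown_exec_t:s0 tclass=file
"""

# Matches the permission set and the source/target contexts of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) for each denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type:level; the policy rule needs the type field.
        stype = m.group('scontext').split(':')[2]
        ttype = m.group('tcontext').split(':')[2]
        yield stype, ttype, m.group('tclass'), set(m.group('perms').split())


def allow_rules(text):
    """Aggregate denials into allow rules (simplified audit2allow output)."""
    needed = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        needed[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        # A process acting on its own context is written as 'self' in policy.
        target = 'self' if ttype == stype else ttype
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ ' + perm_str + ' }'
        rules.append(f'allow {stype} {target}:{tclass} {perm_str};')
    return rules


if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE_AVC)))
```

The generated rules say only what the daemon attempted; whether each access belongs in the shipped policy (here reading etc_t, executing pt_chown, setattr on the Xen devpts node) is the policy maintainer's decision, which is why the fix went into selinux-policy rather than a local module.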

Comment 1 Daniel Walsh 2010-01-07 18:40:15 UTC
First could you verify that your devpts line in /etc/fstab looks like

devpts                  /dev/pts                devpts  gid=5,mode=620  0 0

If not, you should make it look like that.  There was a bug in the F11 install, that set this wrong.

Comment 2 Daniel Walsh 2010-01-07 18:40:58 UTC
Created attachment 382304
Xen patch for F12

Miroslav can you add this patch.

Comment 3 Ruben Kerkhof 2010-01-07 19:05:38 UTC
Yes, it's there:

[ruben@fikkie ~]$ grep devpts /etc/fstab 
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0

Comment 4 Daniel Walsh 2010-01-07 19:27:47 UTC
Ok good, I guess this is new stuff that xenconsoled is executing ptchown.

Comment 5 Miroslav Grepl 2010-01-08 13:16:05 UTC
Fixed in selinux-policy-3.6.32-68.fc12.noarch

Comment 6 Fedora Update System 2010-01-12 23:27:59 UTC
selinux-policy-3.6.32-69.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0362

Comment 7 Fedora Update System 2010-01-19 19:40:48 UTC
selinux-policy-3.6.32-69.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
